Open networks - large public IP spaces, often with relatively loose border controls.

Open systems - frequently systems are not centrally supported, and there can be a wide separation between system security postures across the network.

High bandwidth - universities have bandwidth that many commercial entities and ISPs would be jealous of. Internet 2 connections are typically at least a gigabit, and some universities connect to things like the TeraGrid's 10 - 40 gig research backbone or other specialized high speed networks.

High value data - Social Security numbers, research data, personal data on students, faculty, staff, and donors, and credit card operations are all on the list for most higher ed institutions.

Historically, educational institutions have had relatively open borders. This has changed over the past few years with universities implementing border firewalls and other protections. Universities are still in a somewhat unique position - many have residential networks that act as ISPs for their students and have standards for academic and research freedoms that make a corporate style security architecture difficult, if not impossible.

Watching vendors and other security professionals react to statements along the lines of "well, no, we can't presume that it will be firewall protected" or "we have a class B, and everything we own is on a public IP" can be fun if you enjoy looks of sheer terror.

With attractive and relatively exposed systems - and a population that is often less formally controlled than those in the corporate world (at least in similarly sized institutions), compromises will occur. What do they look like?

Higher education security staff tend to see three attack profiles on systems - and I think that these three attack profiles show the three types of value that compromised systems have for attackers. They are:

1. Zombies - low value systems with no real useful data, smaller hard drives, and low to middling bandwidth. Often these are student machines on residential networks, or standard employee desktops. These systems tend to participate in botnets, and are valuable simply because of numbers and the fact that many are either not detected, or are not cleaned up properly if they are.

2. Storage and bandwidth - these systems are characterized by larger hard drives and bigger pipes. Universities often have relatively large pipes, either thanks to an Internet2 link, a research network link, or simply large commodity Internet upstream connections. Systems that are compromised by an attacker who actually cares about system profiles and that do have bigger drives or more bandwidth continue to be used as storage and distribution points.

3. Jumping off points - every organization has hosts that have sensitive data or that can be used to move through other systems. Your local IT support staff machines are a great jumping off point, and so is a dean's machine, or a business office system. Normally, you will want to focus your forensic efforts on these systems, as they are more likely to have sensitive data - or the keys to the kingdom. A single critical IT worker's machine can let attacks romp through your infrastructure. Most hacks of these machines tend to be detected via system monitoring software - AV and anti-spyware, via user notification, or via one of the methods above.

So how do you deal with these compromise profiles? Your detection and response tactics will likely vary due to your level of control and access.

Zombies can often be found by by monitoring outbound IRC connections or by using netflows and other monitoring technologies to keep track of known bad hosts on the outside. Most normal systems on campus won't be talking to your friendly neighborhood C&C. Since these systems are often outside of the normal support infrastructure for business or academic computing organizations, you have to work with your residential network support or enforce your AUP (you do have an acceptable use policy, don't you?)

Storage and bandwidth oriented hacks may not be reporting into a central C&C - although more and more do dial home. Use your border flows to check for hosts that have very high bandwidth usage - a good tactic is to check your top 10 or top 20 hosts on a daily basis, then filter out the known good hosts, check into the rest, rinse, and repeat. Yes, that public FTP mirror will be high, but why is a grad student's desktop machine in the top 10 for outbound traffic?

Jumping off points are the security analyst's bad day - follow your IR procedures, and make sure you understand what the system had on it, and what access the people who used the system have to other resources. The chain can be long, but following it can help ensure that further compromises don't occur.

The final analysis - at least from my perspective is that higher ed does have high value hosts. Educational institutions cover the spectrum of sensitive data from research data to SSNs and credit card data. In addition, most are highly concerned about their image, meaning that a data breach can cause significant damage to reputation, even if financial losses are smaller.

Where does that leave us? I'll write more about some of the directions that universities are moving in to handle both intrusion and extrusion detection in a coming post.